We're Not Your Enemies; We're Your Customers

Introduction"We're not your enemies; we're your customers." This was said
about Adobe during the protest in front of their Seattle office
yesterday, but it could apply to any company that prosecutes its
users under the Digital Millenium Copyright Act (DMCA). One must
consider both those cases that have happened (2600/DeCSS) and those
that have not: what if a future version of MS Word used an
encrypted format to make it illegal for WordPerfect, AbiWord,
catdoc and the rest to work with .DOC files? Yesterday, though, it
was Adobe who was in hot water because of a Russian programmer
named Dmitry Sklyarov. This article looks at one of the protests
staged Monday to free Sklyarov, discusses why the DMCA is bad for
programmers in particular and offers some suggestions for future
action. Oh, and there are also some pictures of the protest.Adobe's beef with Sklyarov was that his company, Elcomsoft,
sold a program that converted Adobe's encrypted eBook format to
ordinary PDF. This program is legal in its home country (Russia)
and practically every country in the world, and would have been
legal in the United States until the Digital Millenium Copyright
Act of 1998. So when Sklyarov came to the US to give a talk atDEF CON about the
weaknesses of Adobe's eBook encryption (another topic Adobe didn't
want publicized), Adobe had the FBI arrest him, because even
talking about weaknesses in a company's encryption format is
illegal under the DMCA, if the format is used for copyright
protection.Later, we'll get into some legitimate uses for third-party
decryption (including exercising your Fair Use rights and verifying
that the product is indeed secure), but for now let's look at how
the computing community responded to this event.The Picnic and the ProtestThe Electronic Frontier
Foundation, a lobbying organization that has long supported
individual freedom in the digital age and staunchly opposes the
DMCA, launched a grassroots campaign to free Dmitry, expose what
Adobe is doing and repeal the DMCA. Meanwhile, thefree-sklyarov
mailing list was created and was logging over three hundred
messages a day, as people worked over the weekend to organize
protests in 10-12 cities including San Jose, Seattle and Moscow.
The speed at which this was accomplished is noteworthy. The arrest
was seven days ago, local coalitions and the international group
were stitched together four days ago, and many of the protests took
place yesterday.The Seattle group coalesced around theseattle-sklyarov
list, gaining members by word of mouth. There are some fifty people
on the list. We had a strategy session Saturday evening at Beth's
Cafe in north Seattle. Five people attended, and the biggest topic
was whether to picket Adobe. The EFF had called off the protests
because it was in the middle of negotiations with Adobe (at Adobe's
headquarters in San Jose, California) and wanted to give the
company a chance. Most groups decided to picket Adobe anyway. A few
(e.g., Portland, Oregon) decided to delay their protests to see how
the negotiations would go. The Seattle group was pretty evenly
divided. In the end, we decided to split into two groups: the
"protesters", who would picket Adobe, and the "EFF contingent", who
would hold a rally (euphamistically called a "picnic") at nearby
Gasworks Park and await word by cell phone from the EFF on how the
negotiations were going. Some were critical of the EFF's decision
to halt the protests but wanted to honor their request. We figured
that Adobe, knowing that the picketers had reinforcements nearby
(whom the Adobe executives could just barely see out of the corner
of their window), would feel pressured to act responsibly in the
negotiations, in order to prevent the reinforcements from joining
the picketers.It should be noted that there was no pressure to protest or
not to protest. Everybody was asked whether they wanted to picket
at this time, and everybody's preference was honored. There was
full respect and cooperation between the two groups, which was the
reason for their success.Monday morning, both groups assembled at 11 a.m. in Gasworks
Park. There were 30-40 people. The first order of business was a
poster-making party. Two local TV stations interviewed the
organizer, Neale Pickett, and shot footage, but it didn't make
yesterday's news. (However, the Seattle Post-Intelligencer ran anarticle
today.)Then the picketers went off to the Adobe building and the
"EFF contingent" stayed in the park for a "picnic". (But we hadn't
had the foresight to bring food.) A phone call came in from the San
Jose group that they had 85 protesters, but no word came from the
EFF. Finally, somebody told us that the media would not cover the
event unless we got more picketers, so the rest of us decided to
join them. We marched the thirteen blocks to the People's Republic
of Fremont (which is a wacky neighborhood in of itself) and joined
the picketers, who were walking back and forth in front of an
outdoor cafe on the first floor of the Adobe building. (We were
hoping some Adobe executives would see us as they took their lunch
break.)Our signs read, "FREE DMITRY", "CODING IS NOT A CRIME" and
other slogans. Some carried US flags to show that our beef was not
with our country but with certain laws. One guy had a poster with a
hammer and sickle symbol to demonstrate the irony that arresting
somebody to prevent competition is something we'd expect to see in
the Stalinist Soviet Union, not in the land of the free; instead,
we have a Russian programmer in jail because of an intrusive,
speech-restricting US law and a US company.Of course, you cannot have a protest in Seattle without
awakening people's memories (and fears) of WTO, so we maintained
the utmost of decorum. We remained polite to Adobe employees and
stepped aside for them to pass. We stayed off the street and even
obeyed the stop lights. The cops hid themselves discreetly behind a
parking lot across the street; then, deciding we were not a menace
to society, they sped off.A few pedestrians stopped to ask us what this was about. One
asked us, "Is this about the DVDs?" We replied, "No, this is a
different case, but it's the same law", and gave him the
background.A few protesters drifted away one by one, then at 1 p.m. we
folded up shop and walked back to the park. We returned to our
homes and workplaces and discovered the good news: Adobe had agreed
to withdraw their complaint against Sklyarov and would recommend
his release. The EFF had convinced Adobe that holding this man was
not necessary.Of course, that's not the end. Sklyarov's fate is in the
hands of the US Justice Department, which still considers him a
criminal. Many people are still mad at Adobe for sic'ing the FBI on
Sklyarov in the first place, for agreeing to his release only to
avoid bad PR, for remaining unrepentant about encryption, reverse
engineering and the DMCA in general, and for miscellaneous other
sins. Some people are mad at the EFF for accommodating Adobe, but
the overriding concern is the DMCA and the fact that it is still a
law and enforceable. PicturesClick here to view.Effects of the DMCA on ProgrammersMuch has been written about the DMCA's ability to prevent
users from exercising their Fair Use rights with regard to products
they have purchased. US copyright law has long recognized the
rights of individuals to read a book whenever and wherever they
want, to lend it to others, to quote portions in a review or
satire, to photocopy portions for personal study or to discuss a
point with somebody, to sell it at a used bookstore, and to read it
anonymously (without telling the publisher who is reading which
portions when). Likewise, we have the right to record an audio CD
onto tape (format conversion), to play it in any CD player we wish
and to play it anonymously. The 2600/DeCSS suit is about format
conversion and "any player". Linux users wrote a driver to play
their DVDs on Linux (the company didn't provide such drivers) and
were promptly threatened under the DMCA (infraction: circumventing
encryption that is intended to provide copyright protection). A web
site was also sued under the DMCA for linking to information about
DeCSS (infraction: talking about circumventing encryption that is
intended to provide copyright protection). Note that neither charge
alleges actual copyright infringement but only that the technology
is capable of it. It is also capable of
enabling one to exercise one's Fair Use rights and, in Sklyarov's
case, to convert an eBook to a format blind readers could
read.I would like to focus on another aspect of the DMCA that has
not been written about as much: its effect on programmers. Alan
Cox, a prominent British programmer and the #2 man on the Linux
kernel development team, resigned his position at the Usenix
conference,writing,
"With the arrest of Dimitry Sklyarov it has become apparent that it
is not safe for non-US software engineers to visit the United
States.... Until the DMCA mess is resolved I would urge all non-US
citizens to boycott conferences in the USA and all US conference
bodies to hold their conferences elsewhere."I asked a security/cryptography programmer in the Seattle
group how the DMCA is affecting him and programmers he knows. He
said that 75% of the speakers at DEF CON could have been nabbed for
the same reason Sklyarov was, and that the DMCA criminalizes normal
and necessary practices in software engineering, especially those
in security-sensitive industries. Here is an outline of the problem
in his own words:

In a capitalist nation such as the United States,
many of the companies directly influence the rejection or passing
of new laws that effect said companies. The DMCA is a perfect
example of this. Here is the effect of the DMCA on companies'
products.
FACT: The DMCA directly impairs any third-party entity from
validating that the methods and implementation, for a given piece
of software, are valid, if, and when, those methods and
implementations are secured by any method of encryption or
comparable security. It is illegal to reverse engineer these
processes to determine provable validity of the software and its
methods.FACT: Therefore, it is illegal to verify that any secured
software algorithm contains both the features that were promised to
the user, or that the software does not put the user at risk when
using the software.FACT: The only entity that can promise these properties are
included in the software is the software company itself. A software
company can, and usually does, choose to sell a software product
that has not been fully tested beyond the extent that it will be
used by the average customer, since the company has a financial
interest in the sales of the software product. It can be assumed
that no product in existence, when developed under a financial
budget, will be completely error and/or bug free, since it would be
financially burdensome to prove that there were no errors
whatsoever in the software product.FACT: Henceforth, under DMCA, it is illegal for anyone to
verify through reverse engineering that a company's software
product is performing the functions that it should be performing.
Software companies will leverage this law to the maximum potential.
Today in the software security field, a bug in a software program
can turn into lost revenue and, in many cases, bad publicity. This
law makes the third-party finders of these bugs punishable in a US
Federal Court.Why Would a Company Favor DMCA?FACT: Protect your software algorithms and methods with
security, and no hacker or engineer will be allowed to reverse
engineer your program legally.Will this stop the people who crack software and reverse
engineer security algorithms?FACT: No. The majority of people who crack software and
reverse engineer algorithms do it for the sake of learning, or are
doing third party validation of network security. People who crack
software will continue, as their real identities are not publicly
known, and they therefore have no more chance of getting caught
than they do now. Network security engineers will relocate and
continue to find flaws in the security algorithms because it is the
"right" thing to do. The majority of network engineers are looking
out for the rights of the American people at all times. This is the
main focus behind network security: the security and right to
privacy for any user of a computer on a network.Why do You Want DMCA Revoked if You are an Engineer?FACT: Software companies can lie and cheat about their
software products. What they do or do not do will be illegal to
find out, for every person or entity in the United States.Would you trust that every software product from every
software company in the United States not only does everything the
marketing people say the product does, but also has no flaws in its
security algorithms?FACT: Trusting every company also suggests that you have to
trust every person that has ever touched the software product from
that company. It also means you trust that no person touching the
software product has made a mistake.Are you willing to put the security of yourself, your
friends, your family and your personal information in the hands of
a software company that says, "Our product is secure and is
impenetrable from hackers", knowing that the DMCA protects that
company from ever being proven that the product, in fact, is not
secure at all?No. I generally have faith that companies and people alike do
things in good faith. However, due to the number of security flaws
found in software over the last many years, is there any question
why this law is only going to allow software companies to have more
freedom to get away with shoddy coding practices?One last item. Criminal hackers that indeed use security
flaws for personal gain are not scared of the DMCA. These engineers
are already doing illegal acts. If you have stolen five million
dollars from a bank, the last thing you are worried about is a
speeding ticket from the local police. In short, no criminal will
care about the DMCA laws, as those laws are below the laws they
either have already broken or intend on breaking. The DMCA protects
only the interests of companies that cannot develop solidly coded,
secure software products. Companies that embrace the DMCA are
merely embracing the power that allows them to sell their software
regardless of its quality or security.These opinions do not necessarily reflect the opinions or
views of my employers or friends.I am a software and network engineer who recently retired
from Laplink, Inc. My name is Drew "Ender" Miller, and I have been
active in network security for over five years. I have spoken twice
at the DEF CON network security convention in Las Vegas, NV.
Currently, I contract to companies for security software
development and validation of software network security
algorithms.

Where Do We Go from HereJessica Litman wrote inDigital
Copyright that when Congress debates copyright law, the
publishers and media companies make sure their interests are
represented (by virtue of their campaign contributions, cynics
would say). But the public and libraries are rarely consulted, as
if their rights didn't exist. This is in spite of the fact that the
Constitution, the courts and traditional copyright law have long
recognized the public's right to a short copyright term (so that
items will fall into public domain sooner), to Fair Use, and to the
sharing of knowledge and ideas.
For many people, the Sklyarov case was their first
opportunity to voice their interests in the copyright debate.
Hopefully, they will continue to demand their place at the table
until their concerns are satisfied. But picketing is not the only
form of action. For instance, you can:

write a letter to your Congressmen.

meet with your Congressmen and ask them where they
stand on the issue (so you can decide whether to vote for them next
time).

boycott DVDs (yes, I know that will hurt).

tell your friends, family and co-workers about the
dangers of the DMCA and how it will soon deprive them of rights
they have long considered unshakeable.

tell your friends in Canada, Europe and other
countries about what's happening in the US, and how they must not
allow the DMCA to spread to their country.

if you're a programmer or working on a software
project (whether commercial or free), consider whether it might
infringe on the DMCA and, if so, consider moving the project and
yourself outside the US. Be sure to tell the media and your
Congresspeople loudly that you are leaving because of the DMCA, and
outline the economic, cultural and prestige losses the United
States will suffer.

It's hard to explain the problems with the DMCA to somebody
outside the Slashdot world. But to succeed in repealing it or
having it declared unconstitutional, we must show John Non-Tekkie
and Jane Not A Computer User how the DMCA affects them, that in the
future utopia when all books are digital, their Fair Use rights may
exist but they'll have no way to legally exercise them, that they
may be prohibited from even discussing the issue, and that they may
have to buy shoddy or insecure products because competing better
products have been declared illegal. That should get them hopping
mad too, and then they'll be writing to their
Congressmen demanding to know why their rights aren't being
protected. Notable quotes

Who would publish or invent anything if the payment
could be circumvented? Nobody except Plato, Homer, Galileo, Da
Vinci, Gutenberg, etc.